...
Medical events Access policy can be found here
General Concept design
- ABAC is an independent microservice
- It is responsible for granting access to resources based on attributes of any business entity that are requesting access for.
- Service will not support UI editing of rules
- Service should provide RPC (or similar as service must not spend additional computation time on decoding/encoding and networking)
- Service must store audit log in files with two main events: "Successful access grants", "Access rejects".
- Service must cache data for resources, with cache lifetime on per resource sets
- ABAC is additional level of authorization on the top of the regular scope-based access model.
...
- ABAC might (NOT MUST) be used as a plug for any ME endpoint or even ehealth endpoint. Otherwise there might be performance issues.
- It should be checked on the gateway level.
- We do limit access by default. It means that all the rules describe conditions when access is allowed. If there is no rule matched - access is forbidden.
- If ABAC failed to answer - access is forbidden.
- ABAC - mission critical service
- interfaceInterface: external: http, data providers: RPC
- Input:
- WHO
- user_id
- client_id + client_type
- action: CREATE, READ, UPDATE, DELETE
- WHAT
-
object_type(resource) + object_id(optional) - list of contexts (patient, episode):
object_type + object_id
-
- WHO
- Output:
- decision: true/false
To be considered in future!! Conditions - optional. Is relevant for lists. Defines additional instructions for the requested application.Anchor Future Future - For example: client_id context should be applied
- For example: speciality context should be applied
- Technically ABAC can take decision based on attributes of any entity. But to minimize load on the service it has been decided that we do restrict access not lower that on EPISODE level.
- examples:
- access to endpoint like `/api/patients/{patient_id}/conditions/{condition_id}` will be granted based on patient level rule
- access to endpoint like `/api/patients/{patient_id}/conditions/` will be granted based on patient level rule
- access to endpoint like `/api/patients/{patient_id}/episodes/{episode_id}/encounters/` can be granted based on patient or episode level rule
- If there is a rule that allows user to get access to the patient level, but no rule that allows on the episode level, access should be allowed
- examples:
Limitations
- ABAC doesn't provide possibility to manage access to lists of resources - May be implemented in future
- It means that if there is a business rule that '/api/patients/{patient_id}/conditions/' should return only conditions that are referenced to episodes of the legal_entity. This rule will not be implemented on ABAC
Limitations
- When accessing list of entities, ABAC can only grant access to the whole list or forbid the whole list. ABAC does not cut the response in order to show only entities allowed by the rules.
- When accessing list of entities, only one rule could be applied. That means ALL entities from the requested list should be allowed by that one rule. To achieve this, search parameters are used as context. For example, to read episodes, created in the doctor's MSP, doctor can request list of episodes, filtered by managing_organization_id. Managing organization, in this case, will be considered as a context and validated by corresponding rules. If one of the rule returns true, user can access the requested list. This way each entity from the list wasn`t validated by each rule separately, that significantly saves computing time.
Architecture
Data model
...
https://docs.google.com/spreadsheets/d/1A59VIXzxJGLxdd6XH2siPQqOcgVfkGy-1mpR7_4vK4Y/edit#gid=0